The Private Cloud Gets Some Respect

A hospital CIO and a security expert take a cautious approach to the ‘private’ cloud

The cloud has been getting a lot of press lately—and not surprisingly, given the rapidly escalating data storage needs at many hospitals. Yet while many CIOs remain skeptical of the so-called “public” cloud—viewed by some as essentially space merchants—few, if any, are willing to give up direct control of protected health information. On the other hand, some CIOs are more amenable to “private” cloud models, in the form of vendor-hosted solutions or virtualized environments.

One proponent of this view is Kirk Larson, vice president and CIO of Children’s Hospital Central California, in Madera, Calif. Children’s Hospital makes use of vendor-hosted storage services from athenahealth, Inc., Watertown, Mass., which supplies its ambulatory EMR; Emdeon, Nashville, Tenn., which supplies its revenue cycle solution; and Boston-based Iron Mountain, which handles the hospital’s vendor-neutral archive.

In addition to vendor-hosted solutions, he says his hospital also makes extensive use of the private cloud in another variation: as a virtualized environment (provided by VMware, Inc., Palo Alto, Calif.), for its primary electronic medical record, which is supplied by Westwood, Mass.-based MEDITECH. Under the virtualized model, the data is accessible through a virtualized desktop, but is stored in the hospital’s data centers, he explains.

“In our case, the importance of virtualizing is what drove us to the private cloud,” Larson says. “That enables us to keep our footprint to a reasonable size. Our data centers have not expanded at nearly the rate they had before virtualization, so there is an economic driver there.”

Children’s Hospital will continue to leverage cloud-based technologies for the foreseeable future, according to Larson. “I certainly expect that our internal private cloud will continue to expand,” he says. “We will always be open to vendor-based cloud solutions that meet our needs.” He also notes that Children’s Hospital is now in the process of developing a longer-term strategy for its cloud usage. “My expectation is that we will continue to build in the cloud, and over time we will look at appropriate opportunities, where we can move things to the cloud,” he says.

At Children’s Hospital, having a business associate agreement that both parties—the covered entity and the cloud service provider—can live with is a must, Larson says. “One thing that is non-negotiable is that all data must be stored within U.S. borders. That’s something that should be covered in the business associate agreement,” he notes.

Mac McMillan, national chair of the HIMSS Privacy and Security Task Force (and CEO of the Austin, Texas-based Cynergis Tek, Inc. consulting firm), notes that the private cloud, whether hosted or on-site, offers a much greater degree of control for the provider organization that is using it, compared to the public cloud. “They know where their data is, they know who has access to it, and they have better control over the resources around it and the rules around it,” he says. In his view, the public cloud is not designed to support a heavily regulated or heavy security-related environment such as healthcare, and is not suited for storage of clinical information.

Recent policy changes have put more pressure on healthcare provider organizations as well as cloud service providers, he says. Because of changes to the HIPAA (Health Insurance Portability and Accountability Act) Omnibus Rule, cloud service providers have now been designated as business associates with responsibilities to support the covered entity, he notes. He observes that there are quite a few changes that relate to the vendors, but also to the covered entity, in terms of whether the cloud vendor they are working with has the ability to respond to them in an effective manner.

Before entering into a contract, a hospital should consider how the vendor will be used, and what services it will be providing beyond data storage, and how those added responsibilities should be covered in a service level agreement, he says. McMillan also advises hospitals to make sure they have, in their business associate agreements, a provision that says if there is any change in the material environment, or if the vendor decides to change their business model, that they notify the hospital beforehand so that they can assess the effect on their data.

For additional coverage of the cloud, be sure to turn to the February issue of Healthcare Informatics.